GDPR: what accountability measures does the EU Regulation require?

Posted by media on March 6, 2018 at 9:00 AM


The new European General Data Protection Regulation (GDPR), which will be applicable as of 25 May 2018, introduces a historic change in terms of commitment through the concept of accountability.

This principle of accountability is the essential element of one of the pillars on which this legislation is based: the obligation to prevent damage by all organizations that deal with personal data.

Next, we will carry out a brief analysis of the accountability measures set out in the GDPR.

This post is also available in Spanish.


The European General Data Protection Regulation: ensure and demonstrate

All companies, freelancers and entities have the obligation to adopt measures that reasonably ensure that, a priori, they are able to comply with the principles, guarantees and rights set out in the Regulation. The objective is to avoid damage to data subjects, because damage resulting from privacy infringements can be very difficult or impossible to repair afterwards.

“The protection of natural persons in relation to the processing of personal data is a fundamental right.”

Recital 1 GDPR

Furthermore, such entities will not only have to comply with the Regulation, but they must also be able to prove their compliance with the Regulation. The objective is to avoid the occurrence of risks of varying probability and severity which threaten the fundamental rights of data subjects.

This is an important change with respect to the current regime: avoiding the infringement of the rights of the interested parties becomes a main obligation. The future GDPR tries to anticipate the infringement or injury of rights, although it also establishes significant sanctions when the regulations are not complied with.

In practical terms, this principle requires organisations to analyse what data they are dealing with, what kind of processing operations they carry out and for what purposes. Based on this knowledge, they must determine which measures they will apply, making sure that these measures are the most appropriate for meeting the requirements of the GDPR and that they can demonstrate this to the data subjects and supervising authorities.



Active responsibility measures

The measures that the GDPR requires that the controller, and sometimes the processor, apply to ensure that processing is carried out in accordance with the Regulation and that this compliance can be demonstrated are the following:


1. Risk analysis

The new GDPR requires all organizations that process data to perform a risk analysis of their processing to determine what measures to apply and how to do it.

The type of analysis will vary depending on:

  • the types of processing,
  • the nature of the data,
  • the number of affected data subjects,
  • the quantity and variety of processing that the same organisation carries out.

These analyses can be very simple in entities that carry out only a few simple processing activities that, for example, do not involve sensitive data. But they can be more complex in entities that carry out substantial processing, that affect a large number of data subjects or that, due to their characteristics, require careful risk assessment.




2. Record of processing activities

Principle of Transparency: “Personal data will be processed lawfully, fairly and in a transparent manner in relation to the data subject.” (Art. 5.1.a GDPR)

This principle focuses on facilitating the relations between the controller and the data subject, as well as between the controller and the control authorities. Its materialization entails an important change, since the obligation to notify and register all processing activities to the supervising authority disappears.

In the new GDPR, a “Record of processing activities” has been defined.

This record will be carried out internally and will contain, among others, the following data:

  • name and contact information of the controller,
  • name and information of the Data Protection Officer (if appointed),
  • purpose of the processing,
  • description of the data subjects’ categories,
  • description of processed data categories,
  • international data transfers.


3. Data protection by design and by default

The new GDPR specifies that safety measures should be applied taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons (Article 25, Data protection by design and by default).

Data protection by design and by default is a matter of strategy that both the controller and the processor should take into consideration to ensure the right to data protection, by adopting measures that consider the data subject from the moment an idea that can lead to an application, service or product is generated.


4. Security measures

The new European General Regulation on Data Protection talks about “appropriate technical and organisational measures” to guarantee a level of security appropriate to the risk but does not specify which of the existing ones it considers optimal for each case.

The GDPR, under the principle of accountability (Article 5.2), requires the controller to apply the appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing is in accordance with the Regulation.

Some of these measures would be, for example, custody of media, security in communication networks, backup copies or data access control.

The GDPR proposes, as an effective mechanism for verifying compliance, adherence to codes of conduct or to certification mechanisms (Article 42.3 of the GDPR).

Therefore, what the GDPR requires is that companies have a conscious, diligent and proactive attitude to data processing, being able to demonstrate, if necessary, the security measures applied.


5. Notification of data security violations

Another of the most important novelties is a new obligation that the GDPR imposes on the data controller: notifying data security violations. In other words, the data controller must notify the competent authority of any security breach that has occurred within 72 hours of becoming aware of its occurrence.

In addition, if the breach involves a risk for the data subject, they should also be notified.

A security breach or data security violation is defined as any incident that causes the accidental or illegal destruction, loss or modification of personal data, or unauthorised communication of or unauthorised access to said data.


6. Impact Assessment on Data Protection

Another new obligation set out by the GDPR is to carry out an impact assessment on data protection prior to processing data for organisations that perform data processing that may involve a high risk to the rights and freedoms of the data subjects.

The origin, nature, particularity and severity of such risk must be assessed (Recital 84 of the GDPR).

Although the Regulation does not contemplate any specific methodology for carrying out Impact Assessments, it sets out their minimum content as follows:

  • The detailed description of the following:
    1. the planned data processing operations,
    2. the different purposes of the processing and
    3. if applicable, the legitimate interest pursued by the controller;

  • An analysis of the necessity and the proportionality of the aforementioned processing operations in relation to their purpose;
  • The required risk assessment for the rights and freedoms of the aforementioned data subjects, and
  • The measures planned to deal with said risks, including guarantees, security measures and mechanisms that ensure data protection and demonstrate compliance with the Regulation.




In short, what the GDPR requires is a conscious, diligent and proactive attitude towards data processing that is carried out, being able to demonstrate the security measures applied if necessary.

Acting only when an infringement has already occurred is insufficient for this new Regulation. Proactive compliance with the standard is imposed as a means to generalise a safe practice that is respectful of privacy in the EU.

What Brussels is looking for is the installation and establishment of a culture of compliance in organisations. For this reason, transparency and respect for the privacy of personal data must be fundamental objectives for today’s companies, freelancers and entities.
